| field | value | date |
|---|---|---|
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2005-11-08 21:34:33 -0800 |
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-11-09 07:55:51 -0800 |
| commit | 25a74f3ba8efb394e9a30d6de37566bf03fd3de8 (patch) | |
| tree | 8fbe98b01a13946c02a56ab7bab2c4ed077aee3f | |
| parent | e517a0cd859ae0c4d9451107113fc2b076456f8f (diff) | |
[PATCH] selinux: disable setxattr on mountpoint labeled filesystems
This patch disables the setting of SELinux xattrs on files created in
filesystems labeled via mountpoint labeling (mounted with the context=
option). selinux_inode_setxattr already prevents explicit setxattr from
userspace on such filesystems, so this provides consistent behavior for
file creation.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | security/selinux/hooks.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 45c41490d52..fc774436a26 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1986,6 +1986,9 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, inode_security_set_sid(inode, newsid); + if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) + return -EOPNOTSUPP; + if (name) { namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL); if (!namep) |
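Review bot: the placement of the new `SECURITY_FS_USE_MNTPOINT` check is load-bearing and deserves a comment. It sits after `inode_security_set_sid(inode, newsid)` and before the `if (name)` block, so the in-core inode still receives `newsid` and only the on-disk `security.selinux` xattr is suppressed; a later cleanup could easily hoist the check to the top of `selinux_inode_init_security` and silently leave new inodes on `context=` mounts without their SID. A one-line comment above `if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)` stating that the label must still be set in memory would prevent that. Separately, returning `-EOPNOTSUPP` from this hook only yields the behaviour the commit message describes if every filesystem that calls the init_security hook treats `-EOPNOTSUPP` as "no security xattr to write" rather than as a failed create; the message cites `selinux_inode_setxattr` as the precedent, but that hook's error goes back to userspace whereas this one is consumed by the filesystem, so the commit message should state that convention explicitly.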